diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index f023ebb..61abfb9 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -15,7 +15,7 @@ concurrency:
 cancel-in-progress: false
 env:
- E2E_NAMESPACE: privilegedescalation-dev
+ E2E_NAMESPACE: headlamp-dev
 E2E_RELEASE: headlamp-e2e
 HEADLAMP_VERSION: v0.40.1
diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml
new file mode 100644
index 0000000..a2116ef
--- /dev/null
+++ b/deployment/e2e-ci-runner-rbac.yaml
@@ -0,0 +1,35 @@
+---
+# RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance.
+# CI-only test fixture — NOT for production use.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: e2e-ci-runner
+ namespace: headlamp-dev
+rules:
+ - apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]
+ - apiGroups: [""]
+ resources: ["services", "serviceaccounts", "configmaps", "secrets", "events"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: e2e-ci-runner-binding
+ namespace: headlamp-dev
+subjects:
+ - kind: ServiceAccount
+ name: runners-privilegedescalation-gha-rs-no-permission
+ namespace: arc-runners
+roleRef:
+ kind: Role
+ name: e2e-ci-runner
+ apiGroup: rbac.authorization.k8s.io
diff --git a/scripts/deploy-e2e-headlamp.sh b/scripts/deploy-e2e-headlamp.sh
index 8f7a872..43d5467 100755
--- a/scripts/deploy-e2e-headlamp.sh
+++ b/scripts/deploy-e2e-headlamp.sh
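Review bot: In `deployment/e2e-ci-runner-rbac.yaml` the `serviceaccounts/token` rule carries no `resourceNames`, so the runner can request a token for any ServiceAccount in `headlamp-dev` and inherit whatever that account is bound to; the second rule's full read/write on `secrets` widens this to every credential stored in the namespace. Restrict the token rule to the account the E2E deployment uses, e.g. `resourceNames: ["<e2e-service-account-name>"]` (placeholder, the real name is not visible in this diff), and give `secrets` its own rule limited to the verbs the deploy and teardown scripts actually issue. The exposure is larger if `headlamp-dev` also hosts non-E2E workloads, which this diff does not show. The header comment should also state that applying the manifest grants these rights to the `runners-privilegedescalation-gha-rs-no-permission` account, since its name suggests it has none.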
@@ -5,7 +5,7 @@
 # a ConfigMap volume mount. No custom Docker images — the plugin is built
 # in CI and injected as a ConfigMap.
 #
-# E2E resources are deployed to the `privilegedescalation-dev` namespace. Nothing
+# E2E resources are deployed to the `headlamp-dev` namespace. Nothing
 # persists beyond the test run — teardown cleans up all created resources.
 #
 # Prerequisites:
@@ -14,7 +14,7 @@
 # - RBAC applied: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
 #
 # Environment:
-# E2E_NAMESPACE — namespace for E2E Headlamp (default: privilegedescalation-dev)
+# E2E_NAMESPACE — namespace for E2E Headlamp (default: headlamp-dev)
 # E2E_RELEASE — release/resource name prefix (default: headlamp-e2e)
 # HEADLAMP_VERSION — Headlamp image tag (default: latest)
 set -euo pipefail
@@ -22,7 +22,7 @@ set -euo pipefail
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 DIST_DIR="$REPO_ROOT/dist"
-E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
 HEADLAMP_VERSION="${HEADLAMP_VERSION:-latest}"
diff --git a/scripts/teardown-e2e-headlamp.sh b/scripts/teardown-e2e-headlamp.sh
index 477cd1a..ccc2c1e 100755
--- a/scripts/teardown-e2e-headlamp.sh
+++ b/scripts/teardown-e2e-headlamp.sh
@@ -4,13 +4,13 @@
 # Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh.
 #
 # Environment:
-# E2E_NAMESPACE — namespace to clean up (default: privilegedescalation-dev)
+# E2E_NAMESPACE — namespace to clean up (default: headlamp-dev)
 # E2E_RELEASE — release/resource name prefix (default: headlamp-e2e)
 set -euo pipefail
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
-E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
 echo "=== E2E Headlamp Teardown ==="